Start11 - explorer.exe phoning home

Hi there, 

I've got extremely restrictive outbound rules even on my home-network firewalls, and I noticed that every single machine where I activated one of my Start11 licenses has explorer.exe attempting to establish outbound connections to "tnmi-static-110-209-79-66.ip.telnetww.com" from that respective day. I doubt that this is a coincidence.

That happens at least every 24 hours, and it does not matter if the system is in use or idle. It is not caused by the regular update check (entirely different executable and a dedicated task in task scheduler that could be disabled, and the time does not match), so what is it and what purpose does it serve? Can it be disabled in another way than simply blocking it via firewall?

I will not allow 3rd party software to hijack explorer.exe for any kind of outbound communication and I would honestly advise Stardock to remove whatever function is responsible - or at least move it to the main executable. I was thinking about introducing Start11 at my company, but something like this makes it impossible due to compliance reasons.

thanks and regards
Seb

Reply #1

Seriously, I am a bit surprised that nobody at Stardock seems to have an answer?

I did a little bit of digging with Sysinternals tools and there's no doubt that it's the Stardock Start11 (10) DLL:

This event in explorer.exe:

Date: 12.02.2026 22:50:54,5608607
Thread: 13176
Class: Registry
Operation: RegQueryValue
Result: NAME NOT FOUND
Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers\SendDnsToHost
Duration: 0.0000640
Length: 16

ends up firing this (a bunch of Windows DLLs/processes before and after):

11 Start10_64.dll SetWB1 + 0x1c955 0x7ffe0a816335 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
12 Start10_64.dll SetWB1 + 0x1c130 0x7ffe0a815b10 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
13 Start10_64.dll SetWB1 + 0xd21b 0x7ffe0a806bfb C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
14 Start10_64.dll SetWB1 + 0x64a70 0x7ffe0a85e450 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
15 Start10_64.dll SetWB1 + 0x26bf0 0x7ffe0a8205d0 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
16 Start10_64.dll SetWB1 + 0x25ae5 0x7ffe0a81f4c5 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
17 Start10_64.dll SetWB1 + 0x25926 0x7ffe0a81f306 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
18 Start10_64.dll SetWB1 + 0x43fc8 0x7ffe0a83d9a8 C:\Program Files (x86)\Stardock\Start11\Start10_64.dll
19 Start10_64.dll SetWB1 + 0x842aa 0x7ffe0a87dc8a C:\Program Files (x86)\Stardock\Start11\Start10_64.dll

On being blocked it attempts the same with different target ports a bunch of times before eventually giving up.

There must be some reason for it, and I'd really like to know it.
Especially as that same request only seems to be made through explorer.exe and not Start11 "itself".

Reply #2

Start11 runs most things inside explorer and this will be where activation checks and update checks take place.  The only other processes running for Start11 run at much higher user rights which would be poor choices for this.  Almost all the Stardock apps work like this and always have done.

As for the URL itself, I am unsure why it would be trying to go there unless that's a check for internet query, as it should be hitting SD servers only. I will ask someone who will know to investigate.

Reply #3

Thanks, the purpose you mentioned could be reasonable (and most likely is), but even then it would be better if it pointed to a Stardock domain (ideally a subdomain with a "speaking name") and not some generic reverse DNS of some hoster/ISP. 
Maybe that could be changed in a future patch?

Reply #4

Hi Seb,

Our software is configured to use the hostname of activate.api.stardock.net for our endpoints. I can only assume that your firewall tools are reporting the PTR record of the IP for the requested hostname instead of displaying the requested hostname itself.


Reply #5

Thanks. I'll have to investigate why that happens; calls to other (sub)domains show the actual target.

Does it result in any loss of functionality in case the application cannot contact "activate.api.stardock.net"? If I introduce the application to the company network there will be a bunch of clients that are behind extremely restrictive proxies; updates etc. will be done centrally.


Reply #6

Quoting SebSebsensen, reply 3

Thanks, the purpose you mentioned could be reasonable (and most likely is), but even then it would be better if it pointed to a Stardock domain (ideally a subdomain with a "speaking name") and not some generic reverse DNS of some hoster/ISP. 
Maybe that could be changed in a future patch?

Sorry for butting in, but I find networking questions interesting sometimes.

I just wanted to point out that this association of DNS vs IP is completely normal... and it's actually rare to see a "friendly" name for a server that a program is trying to contact.  A program will try to contact a friendly hostname by asking Windows for a DNS lookup.  Windows might use an external resolver, internal cache or even internal overrides.  In the end, it gets an IP address to use and the program will use that directly. 

Any program that you use to "sniff" this connection out will only know about the IP/port and might do a reverse lookup to get a name.  But this is somewhat disingenuous as the DNS lookup and connection are separate things.  This is even more the case for firewalls outside of the PC.  Sure, the sniffer could get lucky and detect a DNS lookup right before the connection... but Windows might use its DNS cache from earlier.

If you run: nslookup activate.api.stardock.net
You will receive: activate.api.stardock.net => 66.79.209.110

However, if you try to get a reverse lookup with ping -a, you'll get something different.
66.79.209.110 => tnmi-static-110-209-79-66.ip.telnetww.com

Do the same experiment with google.com...
google.com => 142.251.210.46
142.251.210.46 => lclgaa-ba-in-f14.1e100.net

Friendly domain names can point to multiple IPs and IPs can have multiple domain names point to it.  You shouldn't expect them to match up.
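The forward-then-reverse comparison described in this reply, as an added example (my own code, not from the thread or from Stardock): it resolves the hostname an application says it contacts, reverse-resolves each address, and reports whether the name a client firewall logged is just the PTR of one of those addresses, and whether that PTR name forward-confirms (FCrDNS). The offline tables are constructed from the values quoted above; `live_forward`, `live_reverse`, `explain_logged_name` and the telnetww.com forward entry are my assumptions, not data from the page.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example: resolver callbacks are injectable, so the check runs offline against a constructed table or live via socket.
def live_forward(name: str) -> List[str]:
    """Forward (A) lookup through the OS resolver, like nslookup (IPv4 only)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def live_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup through the OS resolver, like ping -a."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

@dataclass
class Verdict:
    explained: bool      # logged name is the PTR of an address of expected_host
    ptr_confirmed: bool  # and that PTR name forward-resolves back to the same IP
    detail: str

def explain_logged_name(expected_host: str, logged_name: str,
                        forward: Callable[[str], List[str]] = live_forward,
                        reverse: Callable[[str], Optional[str]] = live_reverse) -> Verdict:
    """Is the reverse-DNS name a firewall logged just the PTR of an address of expected_host?"""
    want = logged_name.lower().rstrip(".")
    for ip in forward(expected_host):
        ptr = reverse(ip)
        if ptr is None or ptr.lower().rstrip(".") != want:
            continue
        try:
            back = forward(ptr)  # forward-confirmed reverse DNS: does the PTR name point back?
        except (socket.gaierror, KeyError):
            back = []
        return Verdict(True, ip in back, f"{expected_host} -> {ip} -> PTR {ptr}")
    return Verdict(False, False, f"no address of {expected_host} has PTR {logged_name}")

# Constructed offline tables from the values quoted in this reply (sample data, not live lookups;
# the telnetww.com forward entry is an assumption made for illustration).
FORWARD = {
    "activate.api.stardock.net": ["66.79.209.110"],
    "tnmi-static-110-209-79-66.ip.telnetww.com": ["66.79.209.110"],
    "google.com": ["142.251.210.46"],
}
REVERSE = {
    "66.79.209.110": "tnmi-static-110-209-79-66.ip.telnetww.com",
    "142.251.210.46": "lclgaa-ba-in-f14.1e100.net",
}
def table_forward(name: str) -> List[str]: return FORWARD[name]  # KeyError for unknown names
def table_reverse(ip: str) -> Optional[str]: return REVERSE.get(ip)
```

Call `explain_logged_name(host, logged)` without the table arguments to run the same check against the real resolver on a machine where the firewall reported the name.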

Reply #7

You're right, and maybe the problem is that I am not too familiar with how Windows behaves in that regard - I am more or less "forced" to still run some machines with Win11 and respective software.

All the Windows machines run "netlimiter" in addition to the on-board firewall, and the interceptions happen at client level. The weird thing is that I usually / almost exclusively see outbound requests like these ones: "checkip.dyndns.org", "dyndns.kasserver.com" or e.g. "xxx.devolutions.com" for the licensing server of my preferred Windows remote desktop manager. The only one that somehow ends up displaying a reverse DNS name is Start11.

Maybe I should file a bug report with netlimiter...

Reply #8

I admit it would be neat if they kept a database of common lookups for IP addresses and showed you the friendly name when known. It would certainly be a nice feature. Looking at resmon output of domain names is almost as nonsensical as the raw IP address.

It would probably have to be a local database in relation to DNS lookups, though.  You'd get too many technically correct but unexpected domain matches if it was a global database against a shared hosting IP.